
oldgames.se, filost, + variants [CLOSED]

starhopper

Posted 09 August 2005 - 05:09 PM

Member

36 posts

Hello; While searching for a mis-linked MP3 file, I got the 'triple whammy' of oldgames.se, filost, and some other of their kin, a "sexsearch" webpage popping up assuring me I could hook up with local women every night, and beautiful gals are looking for me! If it's any help, tho I'm sure you guys don't need it, I think the malware is sensing my location thru ISP server addresses, as it seems to be 'following me around', filling in whatever city I'm visiting into their messaging.

I first tried applying the default Internet Explorer filtering, placing an outright ban on every form of the URL/addresses that I could find...and it seems that the more I applied them, the worse it got! On advice, d/l'd & installed Ad-Aware SE, and later, Spybot S&D, with limited, if any, success (the oldgames.se webpage is now blank, otherwise nothing has really changed.) Further research shows that you guys have had some good success at eliminating these pests, and I now stand in the on-deck circle, asking your indulgence in helping me to rid my system of this abhorrent invasion.

I've found and run the latest HijackThis app, and here's the logfile you ask for as part of new requests. Thanking you in advance VERY MUCH for your kind help, ~J <starhopper>

Please post the latest HJT log here. Also before you copy and paste the log from Notepad into your reply here, please click on Format in the Notepad toolbar and then make sure that Wordwrap is unchecked. If it is already checked, then please click on it. Now copy and paste the log into your reply here.

starhopper

Posted 18 August 2005 - 05:58 PM

Member

Topic Starter

36 posts

Hi Tampabelle; Hey, no need for apologies....I know you folks are VERY busy - I was pretty stunned by how far down my original post/request had slipped an hour after entering it! Here is the new HijackThis logfile you requested. FYI, I also got latest updates for Ad-Aware & Spybot S&D, & did system scans/removals with those too, immediately before running HijackThis. You can't begin to know how much I appreciate your help....the problem is getting worse every day. Well, wasted enough of your time, so here goes: ~StarHopper <Jay>

tampabelle

Posted 18 August 2005 - 07:07 PM

Member 5k

Retired Staff

6,363 posts

Hi Jay,

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Run CleanUp and delete all temp files including temporary internet files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following file -

C:\WINDOWS\System32\vbsys2.dll

Clear out the files in the Prefetch folder. Go to Start > Run > type into the box Prefetch. It will open the folder Prefetch. Delete all the files in that folder. Don't delete the folder, only the files in it!

Dear Tampabelle; Hi....have just finished running the procedures you outlined in your response, and the requested reports are above. Was really surprised to see the additional 'nasties' Panda reported, right after running all the other scans & cleaners!

One bit of an oddity.....the Panda Scan's progress bar was barely halfway across its full span....(last time I had looked; it took over an hour & confess I'd been distracted & not following closely...) and it stopped suddenly & a message popped up, something to the effect of: "Default email client is either not present or incapable of completing the mailing function. Please install Microsoft Outlook as default e-mail client for future mailings." -- again, these not exact words, but it's close. The only options were an 'OK' button & 'Close' button. I really did not & do not want to use Outlook because of its history of being a huge door for viral & malware infections....and I actually have 3 different e-mail clients - none assigned via Windows nor the browser, but separate programs - one from my ISP, an independent (Fastermail), and Yahoo mail. But nonetheless, it looked like the 'OK' button was the only option that would avoid problems, so I went ahead and clicked it. The Panda Scan message closed immediately, and I was left with the scan report attached above. The popup message was covering the progress bar and they all closed simultaneously, so I actually didn't see whether it did complete its progress, or if it closed waiting for me to install Outlook. So, don't know if this really matters....but it's the only (possibly) 'odd' thing that happened during the whole process - and am so advising you per your request.

Well, let me get this closed & in the mail to you. Hope you're not putting in such late hours & have a super-nice weekend! Oh, and are you actually down in Tampa? My Mom's folks are from Fla....Blountstown area (panhandle) & Cocoa down by 'the Cape'. So 'hi, neighbor'! ~8)

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files -

C:\WINDOWS\switchagreement.txt
C:\WINDOWS\XXXinternt.exe

Now open ewido and do a scan of your system.

Click on scanner

Click on Complete System Scan and the scan will begin.

You will be prompted to clean the first infection.

Select "Perform action on all infections", then proceed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report.

Save the report .txt file to your desktop or a location where you can find it easily.

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp

Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).

When CleanUp starts go to the Options button (right side of CleanUp screen)

Move the arrow down to "Custom CleanUp!"

Now place a checkmark next to the following (Make sure nothing else is checked!):

Delete Cookies
This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea

Empty Recycle Bins

Delete Prefetch files

Cleanup! All Users

Click OK

Then click on the CleanUp button. This will take a short while, let it do its thing.

When asked to reboot system select No

Close CleanUp

Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply

starhopper

Posted 20 August 2005 - 02:47 PM

After your instructions for ewido, you say:
Download CleanUp
Install the program, dont run it yet, we will later.
QUESTION:
We've already done this....downloaded & ran. Do we need to do it again - download anew, then run later in this process?
OR - just run the one I already have installed (done just yesterday evening) - then run at the point in the process that you show?

also - At the point where you say "Now run the CleanUp program:"....you include this warning advisory:
*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp"

When I ran CleanUp yesterday evening, you hadn't 'warned' me of this....but it did become somewhat apparent while it was running that everything was being deleted. My question now is - was there any "stuff" in what was deleted yesterday that I should have saved or backed up to preserve, before I made that run? Do you foresee any troubles my not doing so might cause, or have caused??

= = =
Also, for your info -- due to some installation & removal problems I had with some other software (Software Bisque's TheSKY - astronomy charting/telescope control program)...I had to install a special 'User LogOn Account'....to be able to get access to my computer! I'm a complete dumas when it comes to WinXP functions....a lost child! When going thru the previous process for CleanUp and Panda that you recommended, I discovered (to my horror) that my "Regular User" account was not accessible when I started up in Safe Mode. Luckily, I was able to fumble my way around - involving 3 or 4 restarts - and get into where I could follow your instructions. The gist of this is that I'm very uncomfortable operating & fumbling around in 'Safe Mode'....afraid I'll mess something up.

I also want to try to remove this requirement for the special 'User LogOn'....and return it to where I only have to switch on the power and have it boot up nice 'n normal. I'm working with Bisque (just received a reply from them yesterday - no action taken as yet) to try to get this accomplished...so....that's presenting its problems, too. Just so you'll know. ~8)

Well......sending the above questions to you.....holding off on any further action until I hear back from you, in order to play it safe.
Have a nice weekend!
And as always, a million thanx!!
~Jay
<><>

tampabelle

Posted 20 August 2005 - 03:06 PM

Member 5k

Retired Staff

6,363 posts

My bad that I asked you to install CleanUp again.

No need to install it again.

CleanUp is a simple program. It just deletes all files which are there in temporary folders. Usually when an Internet browser downloads any ActiveX component or a file it is first saved in a temp folder. So quite a few infections leave their copies in the temp folder. So even if you delete the infection, it can regenerate due to the copy / installer left over in the temp folder.

By extension CleanUp deletes the cookies, but these are also temp files or files which regenerate when the PC is used and certain websites are used. The Prefetch folder is a folder where Windows stores the settings of files / programs which are frequently used by users. So deleting these files does not in any way affect any of the installed programs.

Safe Mode is a mode where Windows boots up with the bare minimum setup. So your monitor, keyboard, mouse etc. will work, but a whole host of programs are not loaded in memory. This prevents infections from loading into memory at start up and staying firmly lodged in memory, making it easier to get rid of them. Also in Safe Mode, the networking capabilities are stopped. This means that you are not able to connect to the internet. By extension, infections also cannot connect back to their servers. There is nothing extra special about Safe Mode.

There is nothing we have done to disable your existing accounts, nor will we do so in the future. The fix that I have prescribed for you is safe for you to act on. Please do so and post back the logs.

If after cleaning up the PC, we still have any issues with your login accounts, then I will work out a way of restoring your original settings.

starhopper

Posted 23 August 2005 - 09:24 AM

Hi Tampa Belle!! I hope you're having a great day! D/L'd as needed, then ran all the procedures you outlined, and am posting the latest HijackThis log (#004) and the Ewido report, below.

You asked me to advise when any diffs from your steps & what actually happens - had a very minor one. At step "When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment."....this did not happen. I thus just proceeded to next action instruction in your list, ie, "On the left hand side of the main screen click update." Seemed logical, & obviously worked. ~8) FWIW, this ewido was version 3.5, in case that might be newer than your last contact....

Everything else went well, and smoothly. I was initially pretty surprised at Ewido finding 83 infections, esp. at THIS point in the game, but as it was proceeding 'doing its thing', I realized we hadn't run Ad-Aware nor Spybot S&D prior to these latest steps....so thought that prolly would explain the neo-boogers.

Well, hoping this is the home stretch *G*...here's your latest Readers Digest *heh*:

tampabelle

Posted 23 August 2005 - 10:27 AM

starhopper

Posted 23 August 2005 - 02:39 PM

Member

Topic Starter

36 posts

Hi there!
Well....I'm kinda P.O.'d to tell you the truth.
P.O.'d that I can't be there in person to do THIS:
*LOL*
You are amazing! And I can't thank you enough! It is soooo-o-o-o nice to not have those darn screens popping up every other minute....and not having to 'tiptoe on eggshells' being careful not to accidentally click on one of 'em! Bless your ever-lovin' heart, gal - that's about all I can say.

The only other thing (really) right now is that issue with the User LogOn account I had to create to regain computer access. Wanta take that on? If so, just let me know where to begin. ~8)

starhopper

Posted 25 August 2005 - 09:14 AM

Member

Topic Starter

36 posts

You last wrote:
"Hi Jay,
I will take your message in the right spirit, but my wife , yes my wife, may not do so. Lol !!!"
^^^^^^^^^
Well, wouldn't ya just know it. Open mouth, insert foot, swallow hard! Well, thank heavens you did take it in the right spirit. *G*
In my defense - one sees 'belle'....one assumes.... yeah, that too! OK, how about a hearty handshake then....from a good distance..maybe with an appreciative pat on the back - well up, say, on the shoulder area!! *LOL*

+++
"OK, I read a little bit about your issue of "User Logon Account".
I am confused as to what exactly is happening.
1) Is your regular account not working ?? or is it not working in Safe Mode only ??
2) When did the issue with The Bisque happen ?? Did you install any programs under the new account??
3) How did you create a new User Logon Account ?? Do you have administrative rights on this PC??
Please explain your issue in greater detail and I will try my best to resolve this. "

/\/\/\/\/\/\/\/\/\/\/\/\
A short background:
I am so new to WinXP, I don't even know how to tell for SURE whether I have admin rights or not! I presume so(?) - it belongs to me, not any company/employer etc, if that'll answer your question. It was originally leased to a car dealership that went belly up - my local computer shop bought all their laptops, refurb'd them & put 'em up for sale. There are no Windows nor Office installation CD's, so if I mess them up, I'm "SOL" as they told me. The 'registered owner' in Windows is that Ford dealership...something else I'd like to get changed over later, if possible. If you can tell me how to answer the admin rights question more thoroughly, will be glad to.

The new account issue:
I am an amateur astronomer. I obtained Software Bisque's "TheSKY ver6" (latest version) planetarium & telescope control program. This was a legal (non-pirated) set, registered with them. Unknown to me, it was an early issue, and there were bugs. During the install, it crashed. I found & did the recovery as profiled, and completed installation. I ran the program, configured my geolocation, etc., and while exploring the new features (I was familiar with the program, having had ver4 previously, on my desktop), a new problem occurred. <<<<

>>>>Break - Quoting from the SKY6 'Getting Started Guide':
TheSKY6 requires and installs software called the 'Microsoft.NET Framework'. After installing TheSKY6, you may notice that you have to log on to your computer. For security during installation, the '.NET' Framework installer creates a user account called 'ASP.NET' under Windows XP. This account is not malicious and can be removed using 'Start | Control Panel | User Accounts'.

If you wish to remove the requirement to log on to your computer, click 'Start | Run', enter the text 'control userpasswords2' and then click 'OK'. Clear the option 'Users Must Enter a User name and Password to Use This Machine' and then click 'OK'.

I followed this procedure. Return to regular dialog <<<<>>>>
----
The next time I powered up my laptop, it starts to boot through the first Windows XP "splash screen," and QUICKLY flashes a "logon problem" dialog box, followed IMMEDIATELY by the blue "Welcome" screen where it hangs indefinitely. The only way to gain control of the computer, and boot successfully, is to "furiously" hit the enter key after the first splash screen and the blue freeze screen in hopes of responding "OK" to the fleeting logon problem dialog box that appears MOMENTARILY between the two aforementioned screens.

This at least let me get aboard.

I was advised thru Bisque's User's Forum & subsequent help that I'd need to install a special log-on account...for which I followed the outlined procedure & created the account "My Log On Account". BUT, wishing to return to the status of not having to go thru this rigamarole, & wanting to restore to the original settings to be able to just power up & be good-to-go, I researched the Software Bisque Knowledge Base. I found others had experienced this problem...and a fix was given. It told me to see article 1013, entitled "How can I configure Windows XP Home so that logging on is not required?" at www.bisque.com/kb1 for a detailed explanation.
<http://www.bisque.co...ome_Log_On.htm>

I followed _that_ procedure.

Now, when I boot up, the machine goes thru the Win 'Splash Screen'...and finally settles on a 'simplified' desktop, showing only perhaps a dozen of the default installations, and I note my Windows Preferences settings (advanced mouse settings, etc.) don't seem to be present. My startup routine now consists of, once I get to this screen, taking 'Start | Log Off User | Switch User', and then selecting the old, regular 'User' button, and it exits, re-starts Windows, and finally my 'standard' desktop appears...and all is normal after that point. (And YES, I have installed SEVERAL programs on this (old) User account...eg, all the security scan/fix stuff you had me add, & others before that).

THIS having to switch over, is the rigamarole I don't wanta have to go thru every time I start up.

And I'm guessing you'll need to know what User Accounts the system now shows, so FYI, they are (from the 'control userpasswords2' command):
User Name           Group
Administrator       Administrator
Guest               Guests
My Log On Acct      Administrators
Wilton Ford         Administrators
----------------------------------------------------------
(The 'Wilton Ford' account is the laptop's former owner)
And the 'Users must enter a user name and password to use this computer.' block is UN-checked, per the 'Fix' procedure above.
=========================

Because of another non-related issue (another 'Bug') in SKY6, I had to un-install the entire program. A patch is available at Bisque, but I am not going to restore the program until I get this logon problem resolved.

OK...that's everything I can recall. That's the details....but I might (probably!) not have every detail in the exact sequence of occurrence, but it's pretty much everything that happened. Please feel free to ask any questions I can help you with!
And will stop there.

Run Tweak UI. Click on the + sign next to Logon. Click on Autologon. Check the box next to Log on Automatically at system Startup. Set the login account as Administrator. Set the Password. Click on OK.

starhopper

Posted 25 August 2005 - 06:48 PM

Member

Topic Starter

36 posts

Hi again;
OK - will do the steps you outline ASAP...only have time to scan briefly at the moment.
A couple of strange things. All last night & today, as windows opened on the Cloudy Nights forum I frequent, at bottom left (taskbar) of the Internet Explorer window I repeatedly got notification that a popup had been blocked. I think it was IE that was doing the blocking. Also, the loading was going a bit unusually, and the pages were taking longer than usual, seeming to 'hang up' early in the loading process.
This was so prevalent I asked the forum admin about it....and they informed me quite forcefully that they do not use pop-ups, there are none used on CN!

The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.

Sincerly,
Robert Ferrew

Attachments
Attachment scanning provided by: [Norton AntiVirus 2005]

Files:
signature.zip (29k)

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Note: I did run AdAwareSE and SpybotS&D and Ewido last night, and let them quarantine & clean etc. as they do.
However, I did not run any Symantec scan, nor send them any report myself - tho my 'autoupdate' might have done so.
I've never been "contacted" by them previously, and this just seems too out-of-line, and I got suspicious.

Do you think it's a legitimate contact, and factual? Needless to say I have not touched the zip attachment.
Thanx,
Jay
PS - I will be leaving first thing in the morning, & will be out of town probably thru the weekend.
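Jay's question about whether that mail is genuine is exactly the kind of thing a defender triages mechanically. The following is an added example, not code from the thread or from any of the vendors named in it: a small Python heuristic run over a constructed copy of the quoted message (the From address, the vendor domain list and the reason codes are assumptions) that lists the red flags of an unsolicited "run the attached fix" lure.

```python
# Added example, not from the thread: heuristic triage of an unsolicited
# "your sample contains a virus, run the attached signature" e-mail.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample mirroring the message quoted in the post above.
# The From address is made up; the body text is the quoted wording.
SAMPLE_EMAIL = """\
From: Robert Ferrew <rferrew@mail-update.example>
To: jay@example.net
Subject: Your sample file

The sample file you sent contains a new virus version of mydoom.j.
Please clean your system with the attached signature.

Sincerly,
Robert Ferrew

Attachment scanning provided by: [Norton AntiVirus 2005]
Files:
signature.zip (29k)
"""

# Assumed: domains a genuine message about this product would come from.
BRAND_DOMAINS = {"norton": ("symantec.com", "norton.com")}
# Archive/executable attachment names typical of mass-mailer lures.
RISKY_EXT = re.compile(r"\b[\w.-]+\.(zip|rar|exe|scr|pif|bat|com)\b", re.I)


def triage_email(raw: str) -> list[str]:
    """Return reason codes for why the message looks like a malware lure."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = body.lower()
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons: list[str] = []

    # 1. Replies to a submission the recipient never made.
    if re.search(r"\b(sample|file) you (sent|submitted)\b", text):
        reasons.append("unsolicited-reply")
    # 2. Tells the reader to apply something attached in order to "clean" the PC.
    if re.search(r"\b(clean|fix|remove|update)\b.*\battached\b", text):
        reasons.append("instructs-to-open-attachment")
    # 3. Archive or executable attachment (a real signature update is never a zip
    #    mailed to an individual user).
    if RISKY_EXT.search(body):
        reasons.append("risky-attachment")
    # 4. Drops a well-known worm name to create urgency.
    if re.search(r"\b(mydoom|netsky|bagle|sobig)\b", text):
        reasons.append("scare-worm-name")
    # 5. Claims a vendor brand but the sender domain is not that vendor's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and not any(sender_domain.endswith(d) for d in domains):
            reasons.append("sender-domain-mismatch")
    return reasons


if __name__ == "__main__":
    print(triage_email(SAMPLE_EMAIL))
```

Any mail scoring three or more of these codes belongs in quarantine unopened, which is the conclusion Jay reached by instinct.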